6. What do you need?
Control over your cloud environment
• Provision resources
• Gain insights
• Monitor and optimize
7. AWS Management Tools capabilities
• Model and automate
• Gain visibility
• Respond to changes
• Optimize
• Integrate
• Control
8. Model your cloud with AWS CloudFormation
Template → CloudFormation → Stack
• Template: JSON/YAML formatted file; parameter definition; resource creation; configuration actions
• CloudFormation framework: stack creation; stack updates; error detection and rollback
• Stack: configured AWS services; comprehensive service support; service event aware; customizable
• CloudFormation gives developers and systems administrators an easy way to create and manage a collection of related AWS resources, provisioning and updating them in an orderly and predictable fashion.
9. AWS CloudFormation key benefits
• Infrastructure as Code
• Declarative and Flexible
• Easy to Use
• Supports a Wide Range of AWS Resources
11. What are StackSets?
• Allow creation of a common set of AWS resources across accounts and regions
• Provide a container for a collection of AWS CloudFormation stacks
Diagram: one stack per target account in a region. Stack 1: A1, us-west-1; Stack 2: A2, us-west-1; Stack 3: A3, us-west-1; Stack 4: A4, us-west-1; Stack 5: A5, us-west-1
12. Use cases?
Provisioning multiple accounts with identical AWS resources
• Set up AWS KMS keys
• Enable AWS CloudTrail
• Standardize Amazon VPCs with peering connections
• Set up common ingress rules
BCDR (business continuity / disaster recovery) solutions across multiple regions
• Configure Amazon S3 bucket replication
• Provision Amazon RDS read replicas
14. Examples of templates available by default
1. Generate KMS Encryption Keys: Create a master encryption key with the AWS Key Management Service and set key usage permissions.
2. Enable AWS CloudTrail: Enable AWS CloudTrail to provide a history of all API calls and related events.
3. Enable AWS Config: Enable AWS Config to provide an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance.
4. Check CloudTrail Enabled: Enable an AWS Config rule to check whether AWS CloudTrail is enabled in the account.
5. Check Root Account MFA: Enable an AWS Config rule to check whether the root user requires multi-factor authentication for console sign-in.
6. Check EIP Attached: Enable an AWS Config rule to check whether all Elastic IP (EIP) addresses allocated to a VPC are attached to EC2 instances or in-use ENIs.
7. VPC with a Single Subnet: Creates a VPC with a single subnet and an Internet Gateway.
8. VPC with Public and Private Subnets: Creates a VPC with public and private subnets and an Internet Gateway.
9. VPC Peering: specific subnets in one VPC with two VPCs: Creates VPCs and sets up a peering connection between specific subnets in one VPC and two other VPCs across accounts, in a region.
10. VPC Peering: one VPC with specific subnets in two VPCs: Creates VPCs and sets up a peering connection between one VPC and specific subnets in two VPCs, across accounts, in a region.
11. VPC Peering: one VPC to instances in two VPCs: Creates VPCs and sets up a peering connection between one VPC and instances in two VPCs across accounts, in a region.
12. VPC Peering: one VPC to instances in multiple VPCs: Creates VPCs and sets up a peering connection between one VPC and instances in multiple VPCs.
13. Create a highly reliable RDS database instance: Creates an Amazon RDS database instance with read replicas in multiple AWS regions.
14. Enable S3 cross-region replication: Creates an Amazon S3 bucket with cross-region replication to buckets in other AWS regions.
15. Demo: Start with Existing Template
https://aws.amazon.com/cloudformation/aws-cloudformation-templates/
16. Create catalogs of approved resources with AWS Service Catalog
• AWS Service Catalog allows organizations to create and manage catalogs of IT services.
• It enables users to quickly deploy the approved IT services they need in a self-service manner without access to the underlying services in AWS.
Organizations get: control, standardization, governance
Developers get: agility, self-service, time to market
17. AWS Service Catalog key benefits
Ensure Compliance with Corporate Standards
Help Employees Quickly Find and Deploy Approved IT Services
Centrally Manage IT Service Lifecycle
19. Automate configuration with Amazon EC2 Systems Manager
• Enables automated configuration
• Supports ongoing management of systems at scale
• Works across all of your Windows and Linux workloads
• Runs in Amazon EC2 or on-premises
• No additional charge to use
20. Amazon EC2 Systems Manager key benefits
• Support for hybrid architecture
• Easy to use
• Automation
• Improve visibility and control
• Maintain software compliance
• Reduce costs
• Secure role-based management
21. Amazon EC2 Systems Manager capabilities
• Run Command
• State Manager
• Inventory
• Maintenance Window
• Patch Manager
• Automation
• Parameter Store
22. Demo - Disk Space Management
Compliance check "required-disk-space": checks the usage % of each disk partition of an EC2 instance in an environment.
Pipeline (trigger, action, output):
• Send inventory request: State Manager, Run Command, custom inventory
• Compliance: AWS Config
• Notify IT infrastructure team about non-compliance: Amazon SNS, AWS Lambda
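The piece of that pipeline the deck does not show is the script Run Command executes on each instance to produce the custom inventory. An added example (not from the page or from AWS) of that collector: it parses POSIX `df -P` output, marks partitions above a threshold as non-compliant, and shapes the result as an SSM custom inventory document. The df output is constructed, and the threshold, the `Custom:DiskSpace` type name and the inventory file path are assumptions.

```python
"""Custom-inventory collector for the disk-space compliance demo (added example).

This is what the Run Command step would execute on each instance: parse
`df -P` output, flag partitions above a threshold, and emit the custom
inventory JSON shape that SSM Inventory collects. The df output below is
constructed; the threshold and the TypeName are assumptions.
"""
import json
import subprocess

THRESHOLD_PCT = 80  # assumption: partitions above this usage are non-compliant

# Constructed `df -P` output standing in for a real instance.
SAMPLE_DF = """\
Filesystem     1024-blocks     Used Available Capacity Mounted on
/dev/xvda1        8376300  7203104   1173196      86% /
tmpfs              497984        0    497984       0% /dev/shm
/dev/xvdf        51474912 12302080  36534352      26% /data
"""


def parse_df(text):
    """Parse POSIX `df -P` output into one dict per mounted filesystem."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        rows.append({
            "Filesystem": parts[0],
            "MountPoint": " ".join(parts[5:]),  # mount points may contain spaces
            "UsedPct": int(parts[4].rstrip("%")),
        })
    return rows


def evaluate(rows, threshold=THRESHOLD_PCT):
    """Attach a per-partition verdict; pseudo filesystems (tmpfs etc.) are skipped."""
    results = []
    for row in rows:
        if not row["Filesystem"].startswith("/dev/"):
            continue
        verdict = "true" if row["UsedPct"] <= threshold else "false"
        results.append({**row, "Compliant": verdict})
    return results


def inventory_document(results):
    """Shape results as an SSM custom inventory document (all values are strings)."""
    return {
        "SchemaVersion": "1.0",
        "TypeName": "Custom:DiskSpace",     # assumption: custom inventory type name
        "Content": [{"Filesystem": r["Filesystem"], "MountPoint": r["MountPoint"],
                     "UsedPct": str(r["UsedPct"]), "Compliant": r["Compliant"]}
                    for r in results],
    }


def collect(df_text=None):
    """Run the whole step; with no argument, run df on the local host."""
    if df_text is None:
        df_text = subprocess.run(["df", "-P"], check=True,
                                 capture_output=True, text=True).stdout
    return inventory_document(evaluate(parse_df(df_text)))


if __name__ == "__main__":
    # On an instance this document would be written under
    # /var/lib/amazon/ssm/<instance-id>/inventory/custom/ (assumption).
    print(json.dumps(collect(SAMPLE_DF), indent=2))
```

Keeping every `Content` value a string matters: SSM Inventory stores custom types as string attributes, and a downstream Config rule or SNS notification can then filter on `Compliant` directly.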
24. AWS OpsWorks - Automate configuration with AWS OpsWorks for Chef Automate
• Managed Chef Server and Chef Automate
• Suite of automation tools that give you workflow automation for continuous deployment, automated testing for compliance and security with Chef
25. What is Chef?
• Configuration Management Software
• Recipes and Cookbooks
• Chef development kit and toolset
• Community
26. What is Chef Automate?
Commercial offering from Chef Software: a suite of tools built on top of Chef Configuration Management
• Continuous Deployment Pipeline
• Automated compliance testing
• Visibility
27. AWS OpsWorks for Chef Automate key benefits
• Fully Managed Chef Server
• Programmable Infrastructure
• Scaling Made Easy
• Support from Active Chef Community
• Secure
• Simple to Manage
• Hybrid Environments
28. Gain visibility with AWS Config
• Get inventory of all your AWS resources
• Discover resources that exist in your account and capture configurations
• Provide rules to ensure resource configurations conform to your internal best practices and guidelines
29. AWS Config key benefits
• Enables you to assess, audit, and evaluate the configurations of your AWS resources
• Continuously monitors and records your AWS resource configurations
• Allows you to automate the evaluation of recorded configurations against desired configurations with Config rules
Benefits: Continuous Monitoring, Change Management, Continuous Assessment, Operational Troubleshooting
30. AWS Config advanced features
Configurable and Customizable Rules
Configuration History of AWS Resources
Example rules:
• Ensure that all EC2 instances in your cloud infrastructure use AMIs from an approved list
• Identify managed EC2 instances that are running software packages and applications that are on the blacklist
• Identify EC2 instances of a specific type or size
• Identify EBS volumes that are not encrypted
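Two of the rules listed above (approved AMIs, unencrypted volumes) are what a custom Config rule looks like in practice. An added example (not from the page or from AWS) of the Lambda handler behind such a rule: it reads the configuration item out of the invocation, evaluates it, and reports back with `PutEvaluations`. The invocation event and the approved-AMI list are constructed; the `approvedAmis` parameter name and the `RecordingConfigClient` stand-in (used so the logic runs offline) are assumptions.

```python
"""Custom AWS Config rule handler for the approved-AMI and encrypted-volume checks.

Added example. The event is a constructed Config invocation; the approved-AMI
list is a rule parameter you would set on the rule (name is an assumption).
Outside Lambda the handler takes an injected client so the logic runs offline.
"""
import json

DELETED = {"ResourceDeleted", "ResourceDeletedNotRecorded", "ResourceNotRecorded"}


def evaluate(item, params):
    """Return (compliance_type, annotation) for one configuration item."""
    if item.get("configurationItemStatus") in DELETED:
        return "NOT_APPLICABLE", "resource no longer exists"
    rtype = item["resourceType"]
    cfg = item.get("configuration") or {}
    if rtype == "AWS::EC2::Instance":
        approved = {a.strip() for a in params.get("approvedAmis", "").split(",") if a.strip()}
        ami = cfg.get("imageId")
        if ami in approved:
            return "COMPLIANT", f"{ami} is on the approved AMI list"
        return "NON_COMPLIANT", f"{ami} is not on the approved AMI list"
    if rtype == "AWS::EC2::Volume":
        if cfg.get("encrypted"):
            return "COMPLIANT", "volume is encrypted"
        return "NON_COMPLIANT", "volume is not encrypted"
    return "NOT_APPLICABLE", f"rule does not evaluate {rtype}"


class RecordingConfigClient:
    """Stand-in for boto3's config client so the handler can run offline (assumption)."""
    def __init__(self):
        self.calls = []

    def put_evaluations(self, **kwargs):
        self.calls.append(kwargs)
        return {"FailedEvaluations": []}


def lambda_handler(event, context, config_client=None):
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    params = json.loads(event.get("ruleParameters") or "{}")
    compliance, annotation = evaluate(item, params)
    evaluation = {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation[:256],      # Config caps annotations at 256 chars
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }
    if config_client is None:
        import boto3  # only needed when actually running inside Lambda
        config_client = boto3.client("config")
    config_client.put_evaluations(Evaluations=[evaluation],
                                  ResultToken=event["resultToken"])
    return evaluation


# Constructed invocation: an instance launched from an AMI not on the list.
SAMPLE_EVENT = {
    "invokingEvent": json.dumps({
        "configurationItem": {
            "resourceType": "AWS::EC2::Instance",
            "resourceId": "i-0123456789abcdef0",
            "configurationItemStatus": "OK",
            "configurationItemCaptureTime": "2017-09-01T12:00:00.000Z",
            "configuration": {"imageId": "ami-0bad0bad0bad0bad0",
                              "instanceType": "t2.micro"},
        },
        "messageType": "ConfigurationItemChangeNotification",
    }),
    "ruleParameters": json.dumps({
        "approvedAmis": "ami-0a1b2c3d4e5f67890,ami-0f9e8d7c6b5a43210"}),
    "resultToken": "example-token",
}

if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None, RecordingConfigClient()))
```

Returning `NOT_APPLICABLE` for deleted resources and for types the rule does not cover is what keeps the dashboard honest; a rule that reports `COMPLIANT` by default for anything it does not understand hides gaps rather than surfacing them.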
31. New Feature Launch: AWS Config Dashboard
An overview of your resources and their compliance with AWS Config rules
33. Gain visibility with AWS CloudTrail
• Increase visibility into your user and resource activity
• Discover and troubleshoot security and operational issues by capturing a comprehensive history of changes that occurred in your AWS account
• Simplify your compliance audits by automatically recording and storing activity logs for your AWS account
34. AWS CloudTrail key benefits
• Allows you to log, continuously monitor, and retain events related to API calls across your AWS infrastructure
• Provides a history of AWS API calls for your account, including API calls made through the AWS Management Console, AWS SDKs, command line tools, and other AWS services
Benefits: Simplified Compliance, Security Analysis and Troubleshooting, Visibility Into User and Resource Activity, Security Automation
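"Security analysis" and "security automation" both come down to logic run over the records CloudTrail delivers. An added example (not from the page or from AWS) of that triage: three detections over records in the shape CloudTrail writes to S3 (a `Records` array), covering root or non-MFA console sign-ins, security-group ingress opened to the world, and someone turning the trail off. The records are constructed, and the choice of what counts as HIGH or MEDIUM is an assumption about one account's policy.

```python
"""Triage of CloudTrail records (added example, not the page's own code).

The records below are constructed in CloudTrail's delivery format. The
severities and the set of notable API calls are assumptions; the same
function would sit behind a CloudWatch Events rule or a Lambda subscribed
to the trail's log group.
"""

WORLD = {"0.0.0.0/0", "::/0"}
TRAIL_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail"}


def cidr_ranges(params):
    """Yield every CIDR from AuthorizeSecurityGroupIngress request parameters."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for r in perm.get("ipRanges", {}).get("items", []):
            yield r.get("cidrIp")
        for r in perm.get("ipv6Ranges", {}).get("items", []):
            yield r.get("cidrIpv6")


def triage(records):
    """Return (severity, message) findings for the records that matter."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        ident = rec.get("userIdentity", {})
        who = ident.get("arn") or ident.get("type")
        src = rec.get("sourceIPAddress")
        if name == "ConsoleLogin":
            mfa = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
            success = rec.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if ident.get("type") == "Root":
                findings.append(("HIGH", f"root console login from {src}, MFA={'yes' if mfa else 'no'}"))
            elif success and not mfa:
                findings.append(("MEDIUM", f"console login without MFA by {who} from {src}"))
        elif name == "AuthorizeSecurityGroupIngress":
            params = rec.get("requestParameters", {})
            open_cidrs = [c for c in cidr_ranges(params) if c in WORLD]
            if open_cidrs:
                findings.append(("HIGH", f"{who} opened {params.get('groupId')} to {','.join(open_cidrs)}"))
        elif name in TRAIL_TAMPERING:
            trail = rec.get("requestParameters", {}).get("name")
            findings.append(("HIGH", f"{who} called {name} on trail {trail}"))
    return findings


# Constructed sample records in CloudTrail's delivery shape.
ACCOUNT = "123456789012"
SAMPLE_LOG = {"Records": [
    {"eventTime": "2017-09-01T08:12:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "Root", "arn": f"arn:aws:iam::{ACCOUNT}:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-09-01T08:20:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2017-09-01T09:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2017-09-01T09:05:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"},
     "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2017-09-01T09:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/bob"}},
]}

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG["Records"]):
        print(severity, message)
```

The `StopLogging` detection is the one to wire to a page rather than a ticket: every other signal in this function depends on the trail still delivering, so tampering with the trail is both an incident in itself and a loss of visibility into the next one.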
35. Respond to changes with Amazon CloudWatch
• Monitoring service for AWS cloud resources and the applications you run on AWS.
• You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.
36. Amazon CloudWatch key benefits
• Monitor Amazon EC2
• Monitor Other AWS Resources
• Monitor Custom Metrics
• Monitor and Store Logs
• Set Alarms
• View Graphs and Statistics
38. Optimize with AWS Trusted Advisor
• Get insight into how and where you can get the most impact for your AWS spend
• Find opportunities to reduce your monthly spend and retain or increase productivity
• Receive guidance on getting the optimal performance and availability based on your requirements
43. Simplified Resource Management
Package AWS native services for business agility
Automation and orchestration of best practices and corporate policies
Guide provisioning choices to balance performance and consumption
Guard against non-compliance, reducing risk
Governance and role-based segregation of duties
Monitoring, alerting, auditing
“StackSets presents the opportunity for significant time savings while increasing
adherence to golden configurations across multiple accounts,” - Aater Suleman, Flux7 CEO
44. Playbook: AWS Management
Creation
- Core function: Compliant provisioning, governance
- Tool: AWS CloudFormation (Infrastructure as Code)
- Key benefit: shifts ownership of dependencies to developers; creates consistency; software-defined infrastructure; codifies corporate policies
- Power usage: custom resource support; governance
Verification
- Core function: Monitoring and alerting
- Tools: AWS Config and Config Rules, AWS CloudTrail
- Key benefit: identify non-compliant configuration changes; baseline for best practices
- Power usage: export to a third party or an ELK-based setup for analysis
Validation
- Core function: Auditing
- Tools: Trusted Advisor / Security Advisor, AWS CloudTrail, Config Rules
- Key benefit: wide net of best practices
- Power usage: reduce risk by catching common errors (unused instances, open firewalls)